This will be fun to watch. Dan Kaminsky has sort-of published not-so-sekret ways to break DNS. Patches have been released that randomize the UDP source port of resolver queries, so a forged answer has more to guess. "Full" disclosure at BlackHat.
From ISC:
"The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries."
I laughed with mirth and glee at the Emergent Chaos comment:
"DJBdns is in fact not affected as DJB had already implemented port randomness even though he didn't know it was an issue."
This means *all* DNS resolvers that send queries from a fixed source port (per that comment, everything except DJBdns) are vulnerable, with many vendor patches to follow. Port randomization only raises the attacker's cost: instead of guessing a 16-bit transaction ID, the forger has to guess the ID and the port together. Although, DNSSEC, which signs the answers so a forged one can be rejected outright, is the *right* answer.
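To put numbers on "more random", here is an added toy model of answer forgery against a caching resolver. It is example code written for this page, not ISC's patch, Kaminsky's code, or any real resolver: it models only the two fields a forged UDP answer has to match (the 16-bit message ID and the resolver's source port), assumes an unpatched resolver that always queries from port 53 and a patched one that draws from 1024-65535, and has the attacker look up a fresh random subname each race so there is no TTL to wait out between attempts. The addresses and names are constructed.

```python
"""Toy DNS forgery race: fixed source port vs. randomized source port.

Added example for illustration; not code from the post, ISC, or DJBdns.
"""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16                  # 16-bit DNS message ID
FIXED_PORT = 53                       # assumed: unpatched resolver always queries from 53
EPHEMERAL_PORTS = range(1024, 65536)  # assumed: patched resolver picks from this range


@dataclass(frozen=True)
class Query:
    name: str
    txid: int
    sport: int          # UDP source port the resolver sent from


@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dport: int          # UDP destination port; must hit the resolver's socket
    rrset: dict         # constructed answer data, e.g. {"www.example.com": "203.0.113.9"}


class Resolver:
    """Stub resolver with one query in flight and a cache it trusts blindly."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.outstanding = None

    def send_query(self, name: str) -> Query:
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.outstanding = Query(name, txid, sport)
        return self.outstanding

    def receive(self, resp: Response) -> bool:
        """Accept an answer only if port, ID and name match the query in flight."""
        q = self.outstanding
        if q is None or resp.dport != q.sport or resp.txid != q.txid or resp.name != q.name:
            return False
        self.cache.update(resp.rrset)   # no DNSSEC: whatever matched is believed
        self.outstanding = None
        return True


def forgery_odds_per_race(forged_packets: int, randomize_port: bool) -> float:
    """Chance that `forged_packets` distinct guesses include the right (ID, port).

    With a known fixed port only the 16-bit ID is unknown; with randomized
    ports the attacker must also guess the port, so the space is multiplied.
    """
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return min(1.0, forged_packets / space)


def races_until_poisoned(randomize_port: bool, forged_packets: int,
                         max_races: int, seed: int = 1):
    """Simulate repeated races; return the race number at which the cache
    is poisoned, or None if it survives `max_races`.

    Each race the resolver looks up a fresh random subname, and the attacker
    sprays `forged_packets` guesses before the genuine answer arrives.
    """
    rng = random.Random(seed)
    attacker = random.Random(seed + 1)
    resolver = Resolver(randomize_port, rng)
    target = "www.example.com"          # constructed name the attacker wants to hijack
    for race in range(1, max_races + 1):
        name = f"{attacker.randrange(1 << 32):08x}.example.com"
        q = resolver.send_query(name)
        rrset = {name: "203.0.113.9", target: "203.0.113.9"}   # constructed bogus data
        for _ in range(forged_packets):
            # Fixed port: the attacker already knows it. Randomized: guess it too.
            port = attacker.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
            if resolver.receive(Response(name, attacker.randrange(TXID_SPACE), port, rrset)):
                return race
        resolver.outstanding = None     # genuine answer lands first; race lost
    return None


def demo_port_check(seed: int = 0):
    """Show the acceptance rule directly: (fixed port accepts a correct-ID forgery,
    randomized resolver rejects a correct-ID forgery aimed at port 53,
    randomized resolver accepts once the port is also right)."""
    rng = random.Random(seed)
    fixed = Resolver(False, rng)
    q = fixed.send_query("a.example.com")
    fixed_ok = fixed.receive(Response("a.example.com", q.txid, FIXED_PORT, {"a.example.com": "198.51.100.1"}))
    rnd = Resolver(True, rng)
    q = rnd.send_query("b.example.com")
    wrong_port = rnd.receive(Response("b.example.com", q.txid, FIXED_PORT, {"b.example.com": "198.51.100.2"}))
    right_port = rnd.receive(Response("b.example.com", q.txid, q.sport, {"b.example.com": "198.51.100.2"}))
    return fixed_ok, wrong_port, right_port


if __name__ == "__main__":
    print("per-race odds, 500 forgeries, fixed port:", forgery_odds_per_race(500, False))
    print("per-race odds, 500 forgeries, random port:", forgery_odds_per_race(500, True))
    print("races to poison, fixed port:", races_until_poisoned(False, 500, 2000))
    print("races to poison, random port:", races_until_poisoned(True, 500, 1000))
```

With 500 forgeries per race the expected cost is roughly 1/p: about 130 races against a fixed-port resolver, but on the order of 8 million races once the port is drawn from the ephemeral range. Note that this is still a probabilistic defence; a forged answer that happens to match both fields is accepted and cached exactly as before, which is why signing the data (DNSSEC) is the fix rather than the mitigation.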